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Abstract 
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*^ We investigate implementations of biometric cryptosystems pro- 

"^Ih tecting fingerprint templates (which are mostly based on the fuzzy 

r->^ vault scheme by Juels and Sudan in 2002) with respect to the security 

CS| they provide. We show that attacks taking advantage of the system's 

false acceptance rate, i.e. false-accept attacks^ pose a very serious risk 
— even if brute-force attacks are impractical to perform. Our obser- 
vations lead to the clear conclusion that currently a single fingerprint 
is not sufficient to provide a secure biometric cryptosystem. But there 
remain other problems that can not be resolved by merely switching 
to multi-finger: Kholmatov and Yanikoglu in 2007 demonstrated that 
it is possible to break two matching vault records at quite a high rate 
via the correlation attack. 

We propose an implementation of a minutiae fuzzy vault that is 
QQ inherently resistant against cross-matching and the correlation attack. 

Cn Surprisingly, achieving cross-matching resistance is not at the cost of 

t^^ authentication performance. In particular, we propose to use a ran- 

^+ domized decoding procedure and find that it is possible to achieve a 

^^ GAR = 91% at which no false accepts are observed on a database 

en generally used. Our ideas can be adopted into an implementation of a 

. . multibiometric cryptosystem. All experiments described in this paper 

^ can fully be reproduced using software available for downloadr] 
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1 Introduction 

In a traditional password-based authentication scheme, user names along 
with their respective passwords are stored on a server-side database. In 
such a scenario, we usually cannot prevent the fact that some persons will 
have access to the content of the database. Such persons (for example, 
system administrators) are thus able to read the password information re- 
lated to enrolled users. To prevent them from using password information 
to impersonate authorized users, a non-invertible transformatioEpI (e.g., a 
one-way hash function) of each password is stored rather than the unpro- 
tected password. During authentication, the user sends his password to the 
service provider, which computes the password's non-invertible transforma- 
tion. Next, the service provider compares the transformation that is stored 
in the database with the just-transformed password. If both agree, the au- 
thentication attempt is accepted; otherwise it is rejected. So a would-be 
thief cannot find the passwords in the database; he must either steal them 
from users or guess them. 

However, a password can be forgotten or, if written down, can be stolen. 
To prevent these risks, many individuals attempt to create easily memorable 
passwords. Unfortunately, this often results in the individual choosing a 
weak password, typically constructed using personal information (e.g., a 
birthday or the name of a significant other), which increases the risk of 
others' guessing the password — and therefore, of theft. 

A popular alternative to password is to base authentication on biometrics 
such as fingerprints. Authentication protocols that incorporate biometric 
templates do not have the disadvantage that they can be forgotten or lost: 
Barring injuries, fingers are always with us; moreover, fingerprint features 
remain reasonably invariant over time. 

If a biometric authentication scheme is in place the incorporated tem- 
plates have especially to be stored protected. The situation is rather serious, 
because biometric templates may correspond to human beings with nearly 
unique precision compared to mere passwords. In addition, ineffective pro- 
tection of biometric templates has consequences beyond breach of privacy, as 
compared to protecting passwords: For example, if a password is corrupted 
(e.g., discovered by others) it can be replaced easily compared to replacing 
a biometric template. 

While the requirements for so-called biometric template protection schemes 
are similar to those used for protecting passwords, they are more difficult 
to achieve: With high confidence it must be efficiently verifiable whether 
a provided biometric template matches the template that is encrypted by 
the stored data; furthermore, it must be computationally infeasible to de- 

^ Non-invertible transformation of a password means that it is easy to transform the 
password, while on the contrary the derivation of a password from a given transformation 
is computationally hard. 



rive the unencrypted biometric template from the stored data. There is one 
great difference between password and biometric authentication schemes: 
Contrary to passwords different measurements of the same biometric source 
will differ, while also having some reasonable similarity. These differences 
between two biometric templates of the same individual can be usefully con- 
ceptualized as deviations or errors. In this vein, there have been proposals 
for biometric template protections schemes that couple techniques from tra- 
ditional cryptography with techniques from the discipline of error- correcting 
codes. 

1.1 The Fuzzy Vault Scheme 

In 2002, Juels and Sudan proposed the fuzzy vault scheme [I] which is a 
construction for protecting noisy data. While the fuzzy commitment scheme 
[2], which was proposed by Juels and Wattenberg in 1999, requires the data 
to be presented as a fixed-length feature vector, the fuzzy vault scheme 
allows the length of the data to vary and the data to be unordered. These 
properties enable the fuzzy vault scheme to protect fingerprint templates 
such as fingerprint minutiae. It works as follows. 

Enrollment 

Given a fingerprint template containing t fingerprint features, e.g., minutiae, 
its elements are encoded as elements x in a fixed finite field F. One chooses 
a secret message polynomial / G F[X] in the indeterminate X of degree 
smaller than k and evaluates /(x) at the encoded element x. The genuine 
pairs (x,/(x)) are dispersed among a large set of chaff points that do not 
lie on the graph of /, such that a vault of size n is built. 

Authentication 

Using a second genuine template one aims at distinguishing the genuine 
points from the chaff points. Given the points are mainly genuine, one can 
tolerate errors within certain limits determined by error-correcting codes 
|3H6l. 



Security 

From the difficulty of the problem of distinguishing genuine from chaff (with- 
out the help of a second genuine template) the fuzzy vault scheme draws its 
security. This problem can be reduced from the polynomial reconstruction 
problem which is believed to be hard in general if t ^ \/{f^ — 1) • n 17- 
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1.2 The Fuzzy Fingerprint Vault 

There are several biometric traits which can be used in biometric authen- 
tication systems (see [12| for an overview). Every biometric discipHne is 
associated with very individual challenges which have to be solved before 
incorporating them into a biometric template protection scheme. One bio- 
metric trait that can be extracted from humans are his fingerprints [13| . 
This papers focuses on fingerprints and examines their adequacy of being 
protected by the fuzzy vault scheme. Even though there are other biometric 



template protection schemes 14 and implementations for fingerprints 15 
the fuzzy vault scheme is the most dominant and promising scheme for which 
implementations to protect fingerprints have been proposed. 

Implementations 

Several fuzzy vault variants for protecting fingerprint minutiae templates 



can be found in the literature 116 - 23 



To increase vault practicability as well as security, Nagar et al. (2008, 



2010) [22,23 proposed to fuse a fingerprint's minutiae template with in- 
formation about its ridge orientation and frequency by means of minutiae 
descriptors |24| . In distinguishing genuine from chaff minutiae an attacker 
has in addition to guess the respective minutiae descriptors. This adds some 
security to the base vault implementation. 

All the implementations above require an alignment step where the query 
minutiae templates are aligned to the vault. This is very challenging since 
the enrolled templates are protected. Currently, the alignment is realized 



by techniques using auxiliary alignment data, e.g., see [19 20 . The use of 
auxiliary alignment data, however, may cause security issues resulting in the 
leakage of information from the protected fingers. 

Another interesting approach is to use alignment-free features, i.e. fea- 
tures that do not dependent of the finger's rotation or displacement. Li et 
al. (2010) [25] proposed to fuse minutiae local structures [26] with minutiae 
descriptors i24i and to protect them by the fuzzy vault scheme. The recog- 
nition performance that the authors report is promising and the error-prone 
step of aligning the query fingerprint to the vault is circumvented. Further- 
more, the problem of information leakage by auxiliary alignment data does 
not exist anymore. 

1.3 Content and Contribution of the Paper 

After we described the functioning of a minutiae fuzzy vault in more detail 
(Sectional) we investigate the security of implementations from the literature 
in different attack scenarios (Section^. Reproducing the work of Mihailescu 
et al. (2009) |27j we show that brute-force attacks can be very practical to 



perform against most implementations (see Section 3.1) 



But even if brute-force attacks are infeasible to perform, there remains 
the possibihty of the attacker to run an attack that takes it advantage out of 
the system's false acceptance rate, i.e. false-accept attack; also see Section 
26.6.1.1 in [28]. We show that false-accept attacks are even much easier to 



perform than brute-force attacks (see Section 3.3 ). Note that the false-accept 
attack is not restricted to the fuzzy vault scheme but it can be applied with 
virtually no modifications to every authentication scheme. Its attack success 
rate only depends on the system's false acceptance rate and the average time 
needed to run an impostor recognition attempt. Therefore, our observations 
clearly advocate that biometric cryptosystems merely based on a single fin- 



ger cannot provide effective security. Rather multi-finger cryptosystems 29 
(or even multibiometric cryptosystems |30| ) should be developed. 

For the fuzzy vault scheme there remains a problem that can not be 
solved merely by switching to multibiometrics. Given two matching in- 
stances of a minutiae fuzzy vault to an adversary he can correlate them; 
genuine minutiae tend to agree well in comparison to chaff minutiae, which 
are likely to be in disagreement. Thus, an intruder may reliably deter- 
mine whether two vault records match, i.e. cross-matching. Even worse, 
via correlation the adversary can try to distinguish genuine minutiae from 
chaff minutiae. If in this way a set of vault minutiae can be extracted that 
contains a reasonable proportion of genuine minutiae, then the vault can 
efficiently be broken. Consequently, this attack is called correlation attack. 
Scheirer and Boult (2007) were the first who have drawn the attention to the 



risk of attacking fuzzy vault via record multiplicity 31 . Then Kholmatov 
and Yanikoglu (2008) have demonstrated the practicability of the correla- 
tion attack [32]. Therefore, in Section El we propose an implementation of 
a minutiae fuzzy vault that is inherently resistant against cross-matching 
and the correlation attack. Fortunately, cross-matching resistance can be 
achieved without decreasing the verification performance as we found in a 



test on a fingerprint database publicly available (see Section 4.4). This is 
mainly due to a randomized decoding procedure that we propose. 

A final discussion, conclusion, and an outlook are given in Section [5] 
All experiments described in this paper can fully be reproduced using 
software that we made available for download.l^^ 



2 Minutiae Fuzzy Vault Implementation 

Assume tha we are given a minutiae template {(a, 6, 9)} where (a, b) and 9 
denote its position and angle, respectively. Using the fuzzy vault scheme we 
may protect the template as follows. 



2.1 Enrollment 

We describe the vault construction analogous to Nandakumar et al. (2007) 



20 with some minor modifications. 



As in 20 , only well-separated minutiae are selected. Furthermore, only 
the t < tmax minutiae of best quality that are well-separated are selected 
for vault construction. If it is not possible to select at least a certain num- 
ber of tmin minutiae, the enrollment is aborted and a failure to capture is 
reported. Otherwise, the construction continues as follows. To hide the 
selected genuine minutiae Tgen, a set of chaff minutiae Tchaff is generated 
at random fulfilling the following side conditions: First, each chaff minutia 
has the property that it is well-separated from all other vault minutiae — 
genuine and chaff; second, a chaff minutia's position lays within the corre- 
sponding fingerprint image's region; third, the number of chaff minutiae is 
such that the vault minutiae reach a predefined size n > t, i.e. n — t chaff 
minutiae are generated. The union of genuine and chaff minutiae is referred 
to as the vault minutiae Tvauit = ^gen U Tchaff- 

After the vault minutiae have been established, a secret is encoded as a 
polynomial / of degree < k having coefficients in a fixed finite field F = Fg of 
size q > n. Now, list the vault minutiae as (oq, bo, Oq), . . . , (a„_i, bn-i, On-i) 
by some convention, e.g., by sorting them in lexicographical order. By 
xq, . . . , Xn-i G F denote n distinct elements of the finite field. In this way, 
each list index i = 0, . . . , n — 1 uniquely encodes an element in F. Now we 
build the genuine set as G = {{xi, f{xi)) \ {ai,bi,6i) E Tgen}. Analogously, 
the chaff set is defined as C = {{xj,yj) \ {aj, bj, 9j) E Tchaff} where the yj s 
are chosen uniformly at random such that yj ^ f{xj). The union V = GuC 
builds the vault points. 

The protected template is published as the triple (V, Tvauiti ^(/)) where 
h{f) denotes a cryptographic hash value of / (e.g., SHA-1) to allow safe 
recovery of / at genuine authentication. 

Note, that there is a one-to-one correspondence between the vault V and 
the vault minutiae T^auit- Thus, given a genuine minutia we also know its 
corresponding vault point and vice versa. In this respect, our construction is 
different from the construction of Nandakumar et al. (2007) who encode the 
minutiae information on the x-coordinate of its corresponding vault point. 
Another difference of our construction is that we use a SHA-1 hash value 
instead of constituting the secret polynomial with redundancy bits. 

2.2 Authentication 

On authentication, a query template of the (alleged) genuine user is pro- 
vided. As on enrollment, only well-separated minutiae of good quality are 
selected (again, at most tmax)- For simplicity, we assume that the query 
minutiae are correctly aligned to the vault. We extract those vault minu- 
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Figure 1: (a) Genuine (red) and chaff minutiae (gray); (b) each minutia is 
encoded on a vault point's abscissa where its ordinate binds the minutia to 
the secret polynomial 

tiae that are well approximated by aligned query minutiae. In this way, we 
establish the unlocking set U which consists of those vault points that cor- 
respond to the just extracted minutiae. Let t be the size of the unlocking set 
U. There are (^) combinations of selecting k different unlocking points. For 
each combination, the interpolation polynomial /* G F[X] is computed and 
it is checked whether its hash value agrees with the hash value of the correct 
polynomial, i.e. if h{f*) = h{f). If true then f* = f with overwhelming 
reliability and /* is output as the correct polynomial which corresponds to a 
successful authentication. Otherwise, if all h{f*) ^ h{f) the authentication 
attempt is rejected. 



2.3 Alignment 

There have been proposals to ease aligning the query minutiae to the vault 
such that matching vault minutiae agree with their respective query minutiae 



(see 17,19,20,33,341). All of these proposals leak information about the 



corresponding fingerprint, e.g., about some of its minutiae or its orientation 
field. Moreover, it is not clear to what extent auxiliary alignment data can 
help an adversary to find matching vault correspondences via cross-matching 



(see Section 3.5). 



Ideally, fingerprints can be pre-aligned such that matching query minu- 
tiae already agree with genuine vault minutiae. However, pre-alignment 
is currently not very robust. But increasing robustness of fingerprint pre- 



alignment would automatically increase the practicability of a minutiae fuzzy 
vault implementation without decreasing its overall security. Therefore, al- 
though challenging, it seems to be worth to search for more robust pre- 
alignment procedures. Alternatively, suitable alignment-free features can 
be used for constructing the vault (see p5]). 

Due to open questions related to vault alignment, if we investigate vault 
performances, we assume a well-solved alignment framework for genuine 
authentication. Consequently, if an authentication of a genuine user is sim- 
ulated, the alignment is obtained by aligning the query minutiae template 
to the enrolled template in clear. On an impostor authentication, we do not 
make any attempts in aligning the query template to the vault. 

2.4 Evaluation Database and Protocol 

Throughout, we used the FVC 2002 DB2 databasqj for our performance 
evaluations as it is the common database used to evaluate fingerprint fuzzy 
vault implementations. 

We strictly follow the FVC protocol |35| even though in the literature the 
implementations are evaluated following a protocol in where the number of 
observed impostor recognition attempts is artificially increased 18-20|[22|[23 



^51. But this would not correspond to statistically independent observations. 



As already described in Section 2.3, on an genuine authentication at- 



tempt we assert that the query finger is correctly aligned by aligning both 
fingers in clear; for an impostor recognition attempt, we do not make any 
attempts for alignment. 

Genuine acceptance rates and false acceptance rates will be denoted by 
GAR and FAR, respectively. Furthermore, throughout the literature the 
genuine acceptance rate incorporating the first two impression of each fingers 
only are reported. This corresponds to the scenario in where the fingerprints 
are of good quality which positively affects the genuine acceptance rates. 
Therefore, to allow for comparing our genuine acceptance rates with other 
implementations, we will also keep track of the genuine acceptance rate 
w.r.t. the subset of the database. The corresponding genuine acceptances 
rates are indicated by sub-GAR. 

The minutiae templates that we used have been obtained using a com- 
mercial extractor o 

2.5 Performance Evaluation 

We evaluated the vault performances for different k on the FVC 2002 DB2 
database following the FVC protocol (see |35|) using parameters adopted 
from Nandakumar et al. (2007). They propose to hide at most tmax = 24 

^The database consi sts o f 8 impressions each acquired from a total of 100 fingers. 
■^Verifinger SDK 5.0 Ise] 



Table 1: Performance Evaluation of our minutiae fuzzy vault re- 
implementation using parameters adopted from Nandakumar et al. (2007) 
|20l 
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L vault of siz 
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Example 1. For example, if k = 9 then the genuine acceptance rate was 
determined as GAR ~ 74.61% and the false acceptance rate as FAR ~ 
0.56%. The total number of genuine authentication attempts and impostor 
authentication attempts was 2749 and 4856, respectively. FTCR ~ 3.88% 
of the enrollments were aborted, because it was not possible to select at least 
train = 18 Well- Separated minutiae. 

The genuine acceptance rate measured on the finger's respective first two 
impressions was found to be sub-GAR ~ 92% at a failure to capture rate of 
sub-FTCR= 1%. 



Note that our rates differ from those reported in 20 . This is due to the 



use of a different authentication scheme than 20 as well of the fact that we 
decoupled the alignment from the vault. 

We will use the re-implementation to demonstrate the effectiveness of 
the false-accept attack in Section [3 .31 Note, even in the case that we would 
use auxiliary automatic alignment data to ease alignment, an attacker does 
not have to account for it; our false acceptance rates reflect the success rate 
of such a corresponding attack. 



""Two minutiae (a, b, 9) and {a , b' , 9') are said to be well-separated if ||(a, b) — {a', 6')||2 + 
0.2 • maxde - 9'\, |360° -9 + 9'\) > 25. 



2.6 Fuzzy Vault with Minutiae Descriptors 

To improve the practicability as well as the security of the construction 
in (20], in addition to mere minutiae, Nagar et al. (2008, 2010) (22}|23 
proposed to incorporate minutiae descriptors in constructing the vault. 

A minutia's descriptors consists of the ridge orientation (relative to the 
orientation of the minutia) and ridge frequency of points arranged around 
the minutia (see Fig. ^. The authors showed how a minutia descriptor can 
be quantized as an m-bit vector w £ {0, 1}'". Furthermore, the correspond- 
ing vault points {x,y) £ F x F ordinate value y is encoded as a codeword 
c(y) of a binary error-correcting code of length m which is capable in cor- 
recting u (say) errors. The fuzzy commitment [2] of c(y) using the witness 
w is computed next, i.e. c{y) + ty|j Rather publishing the vault point (x, y) 
the tuple (x, c{y) + w) is published instead. For chaff points the ordinate 
values are protected using random descriptor binarizations from a pool of 
chaff descriptors. 




Figure 2: Minutiae descriptors — thickness and orientation of yellow lines 
correspond to ridge frequency and orientation descriptor, respectively; the 
orientation fields and frequency images to visualize were estimated using the 



methods in p57] and 38 , respectively. 



On authentication, the unlocking points (x, c{y) + w) are extracted as 
in the basic vault. Using the minutiae descriptor w' G {0, 1}™ of the cor- 
responding query minutia, the difference c{y) + w — w' is computedj^ If 
w' is sufficiently similar to w, i.e. if they differ in at most v positions, the 
difference c{y) + w — w' can be corrected to c{y) which encodes the correct y. 
Therefore, in addition to sufficiently many genuine vault points among the 



Addition is performed bitwise modulo 2 which is equivalent to a bitwise xor operation. 
''Note that addition modulo 2 is the same as subtraction modulo 2, i.e. c(y) + w — w' = 
c{y) + w + w' . 
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unlocking set it is required that their correct ordinate values can be recov- 
ered. This will be the case, if a minutia descriptor with sufficient similarity 
to the genuine descriptor can be found. Thus, for the vault to successfully 
unlock there is required more agreeing information of the query template to 
the enrolled template and thus the basic vault's security is improved. 

Next, we investigate the security of different fingerprint fuzzy vault im- 
plementations from the literature. 

3 Attacks 

3.1 Brute- Force Attack 

While attack scenarios involving brute-force attacks are analyzed throughout 
the literature they frequently lack of emphasizing how practical these naive 
attacks can be. In this section, for parameters adopted from implementa- 
tions found in the literature we determine the expected number of computer 
time that is expected to be required for a successful brute-force attack. 
Therefore, we briefly reproduce the work of Mihailescu et al. (2009) [27] 
to emphasize the practicability of brute- force attacks against current imple- 
mentations of the fuzzy fingerprint vault; for a smart polynomial reconstruc- 
tion approach we refer to Choi et al. (2011) |39|. Afterwards we modify the 



attack for the implementation of Nagar et al. (2008, 2010) ^,23 . 

Assume that an intruder has intercepted a vault of size n in which t 
genuine vault points are contained laying on the graph of a common poly- 
nomial of degree < k. Furthermore, we assume that a cryptographic hash 
value h{f) of the correct polynomial is publicly available to the adversary. 
To find the correct polynomial, the intruder 1) may guess k random vault 
points, 2) determine its interpolation polynomial /*, and 3) check whether 
h{f*) = h{f): If true, the attacker has found the correct polynomial with 
overwhelming reliability; otherwise, he repeats the attack until a polynomial 
/* with h{f*) = h{f) is found. 

The probability that a random choice of k vault points yields the correct 
polynomial is bf(n, t, k)~^ where 

"(«.*-*)=(*)(0 '■ <'> 

Thus, after 

log(0.5)/log(l-bf(n,t,fc)-i) (2) 

iterations the adversary can expect to find the correct polynomial. 

Example 2. For example, if {n, t, k) = (224, 24, 9) (which are parameters as 
proposed by Uludag and Jain 2006 \T^ ) the adversary can expect to success- 
fully break the vault after ^ 2^^ iterations using Formula ^. For F = F216 
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Table 2: Expected computational timings for running a successful brute- 
force attack on a 3.2 Ghz desktop computer with four processor cores against 
different vault parameters found in the literature 
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< 17 hours 
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«227 


183,188.8 


< 3 min 


It 


(224,24,9) 


«23i 


148,634.1 


< 50 min 


It 


(224,24,11) 


^2^^ 


109,066.9 


< 11 days 




34 




(440,40,13) 


«2'*8 


82,056.84 


< 18 years 


tt 


(440, 40, 14) 


«252 


69,227.56 


< 325 years 



we experimentally determined that it is possible to perform 148,634.1 it- 
erations in one second of the above brute-force attack. Thus, if four pro- 
cessors/cores are used by the attacker he can expect to be successful after 
~ 49 min. 

We empirically determined expected times for a successful brute-force 
attack for parameters from different implementations from the literature. 
The results are listed in Table [H We find that brute-force attacks can 
become practical to perform easily — even on a standard desktop computer. 
Related work can be found in |27l|39|. 



3.2 Attack against Fuzzy Vault with Minutiae Descriptors 



To break instances of the implementation of Nagar et al. (2008,2010) [22 23 



the attacker must act differently in choosing a candidate polynomial /* 
because the vault points ordinate values are protected. Therefore, we assume 
that the adversary has access to a large pool of minutiae descriptors. 

3.2.1 Decoupling the Vault from Protected Ordinate Values 

For each protected vault point (x, c{y) +w) (chaff and genuine) the attacker 
iterates through the descriptor pool. For each descriptor w' G {0, 1}™' the 
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difference c{y) + w — w' is computed and then an attempt is made to decode 
c{y) + w — w' to its nearest codeword c(y'). There are three possible cases: 

i) The attacker can correct to the right c{y) and thus obtains the correct 
ordinate value y; 

ii) he obtains another codeword c(y') 7^ c{y) and thus an incorrect ordi- 
nate value y' ^ y; 

iii) the difference cannot be corrected to any codeword. 

While iterating through the descriptor pool, the attacker establishes a set 
of candidate ordinate values. For simplicity, we assume that the correct 
ordinate value can be found in the candidate set for each vault point. By 
{y'} denote such a candidate set. For the attacker to select a candidate 
polynomial, he may randomly choose k distinct vault points and, in addition, 
for each vault point a random candidate ordinate value. 

To estimate the probability that such a candidate polynomial yields the 
correct polynomial, we first estimate the expectation of the size of the can- 
didate set for random vault points (x,c(y) -|- w). 

An important tool to achieve this is the sphere packing density of the 
underlying binary error-correcting code, which can be defined to be the 
probability that a random m-bit word can be corrected to a valid codeword. 
Therefore, by i denote the number of codewords. Then its sphere packing 
density is 



where u denotes the code's error-correcting capability. We argue with 23 
that the difficulty in guessing a random minutiae descriptor is i2 ~ 4.27. 
Therefore, we estimate the expectation of the number of of candidate ordi- 
nate values for each vault point as S = 1 + (R — 1) ■ p. Thus, we estimate 
the brute-force security as 

S^-bf(n,t,/fe). (4) 

3.2.2 Evaluation of the Attack 



For the implementation of 23 in where the ordinate values are protected via 
a (511, 19)-BCH code, which can correct v = 119 errors, the corresponding 
sphere packing density is p ~ 1.3 • 10~^^. Thus, we expect the number of a 
vault point's candidate ordinate values tohe S = 1 + (R — l) ■ p ^ 1 + 4.25 • 
10"^'^. Consequently, the estimated brute-force security for vault parameters 
(n, t, k) = (224, 24, 9) is S^ ■ bf (n, f , k) ^ 2.54 • 10^ which corresponds to 31 
bits. In comparison, the brute-force security for the base implementation 
without protected ordinate values is bf (n, t, k) k. 2.54 • 10^ which is almost 
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the same. Thus, there is virtually no improvement in protecting the vault 
points ordinate values if the code's sphere packing density is too small. As 
a counter measure, the use of two other BCH codes of higher sphere packing 
density have been investigated in [23] with a measurable improvement in the 
brute-force security. The corresponding evaluations can be found in Table 

El 



Table 3: Brute-force securities of the implementation of Nagar et al. (2010) 
for different choices of BCH codes and for different polynomial degrees. The 



genuine acceptance rates have been extracted from Figure 7 in 23 in where 



the false acceptance rates have been indicated as to be very close to 0. 



poly- 
nomial 
degree 



k = 7 
k = 8 
k = 9 
k = W 
k = ll 
k = 12 



BCH(511,19) 



brute- 
force 
security 



224 
227 
231 
235 
239 
243 



sub- 
GAR 



95% 
94% 
93% 



70 

78% 



BCH(31,6) 



brute- 
force 
security 



227 
231 
235 
239 

244 
248 



sub- 
GAR 



94% 
93% 
93% 

87% 
81% 
77% 



BCH(15,5) 



brute- 
force 
security 



234 
240 
245 

250 

256 
261 



sub- 
GAR 



93% 
93% 
91% 
85% 
76% 
73% 



3.3 False-Accept Attack 

Brute-force attacks can definitely be improved. For example, one may use 
statistics of fingerprints to accelerate brute- force attacks. Assuming that the 
statistics of fingerprints is best reproduced by real fingers, making heuristic 
considerations one may conclude that an attack that takes advantage out of 
the system's false-acceptance rate FAR yields the system's overall security. 
In any case, such an attack yields an upper bound of the system's overall 
security and is a hint for the existence of a similar efficient statistical attack. 

In the scenario of a false-accept attack we assume that an adversary 
who has intercepted a vault also has access to a sufficiently large database 
containing fingerprint templates. 

Then the adversary may try to recover the protected template from the 
vault off-line by simulating authentication attempts using the templates in 
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the database as the queries. For a random query template, with probabil- 
ity FAR the vault will unlock and reveal the protected key and template. 
Thus, the adversary can expect to successfully break the vault after he has 
simulated log(0.5)/log(l — FAR) authentication attempts. If the average 
impostor decoding time IDT is known then the computational cost for a 
successful false-accept attack can be estimated as 

log(0.5)/ log(l - FAR) • IDT . (5) 

Example 3. For example, assume that an adversary has intercepted a minu- 
tiae fuzzy vault as in Section^ with k = 9. With Table^ we may assume 
that FAR ~ 0.56% and IDT ~ 0.198 sec. Thus, the adversary can expect to 
successfully break the vault after only ~ 24.6 sec. If four processors/ cores 
are used in parallel the time furthermore reduces to approximately 6.15 sec. 
In comparison to the brute-force attack, which takes ~ 49 min on the same 
computer, the false-accept attack turns out to be the better choice for the 
adversary and thus poses the more serious risk. 

3.3.1 Confidence of the False Acceptance Rate 

In the above example we assumed that the false acceptance rate was FAR ~ 
0.56%. This is because we observed 27 false accepts among 4, 856 simulated 
impostor authentication attempts and thus FAR = 27/4, 856 ~ 0.56%. But 
actually, the observation of a false accept is the result of a random sample. 
Assume that we observed s false accepts among A^ impostor recognition 
attempts. Let FAR* = s/N be the point estimation for the false acceptance 
rate. We can only be absolutely certain that FAR G (0%, 100%) but, roughly 
speaking, it is not very likely that the true false acceptance rate differs from 
FAR* too much. To estimate the confidence of FAR*, a useful concept is 
the one of confidence intervals. 

Definition 1 (Confidence Interval). Let FAR be the system's true (but un- 
known) false acceptance rate. For a fixed 7 S (0%, 100%] let FARq < FARi 
such that FAR* G [FARo,FARi] for 1007% of all point estimations FAR*. 
The interval [FARo,FARi] is called 7-confidence interval for FAR. 7 is 
called confidence levePj of the interval [FARo,FARi]. 

There are methods that compute confidence intervals for a given confi- 
dence level 7 when s false accepts within N impostor recognition attempts 
have been observed. These are, for instance, the Clopper-Pearson inter- 
vals (401. 



Example 4. The 95%-Clopper-Pearson confidence interval for the false ac- 
ceptance rate in Examplel^ is [0.36%, 0.81%], i.e. if s = 27 false accepts 



A popular choice for a confidence level is 7 = 95%. 
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Table 4: Performance of the false-accept attack against the implementa- 
tion of Section [2] using the parameters of the performance evaluation. The 
timings are have been determined on a 3.2Ghz desktop computer with four 
processor cores. 



length 


point 


avg. 


95%- 


expected 


expected 


of 


estimation 


impostor 


confidence 


time 


time 


secret 


of the 


decoding 


interval 


for a 


for a 


pol. 


false 


time 


for the 


successful 


successful 




acceptance 




false 


false- 


brute- 




rate 




acceptance 


accept 


force 








rate 


attack 


attack 


k 


FAR* 


IDT 


[FARo,FARi] 






= 7 


188/4,856 


0.08 sec 


[3.33%, 4.45%] 


0.31 5ec-0.41 sec 


« 11.4 sec 


= 8 


79/4, 856 


0.140 sec 


[1.29%, 2.02%] 


1.19 sec-1.87 sec 


« 2.97 min 


= 9 


27/4, 856 


0.198 sec 


[0.37%, 0.81%] 


4.22 sec-9.33 sec 


~ 49.4 min 


= 10 


8/4,856 


0.240 sec 


[0.07%, 0.32%] 


12.8 sec-58.4 sec 


~ 13.9 hours 


= 11 


5/4,856 


0.248 sec 


[0.03%, 0.24%] 


17.9 sec-2.14 min 


« 10.2 days 


= 12 


0/4,856 


0.193 sec 


[0.00%, 0.06%] 


> 54.2 sec 


^ 6.6 months 



among N = A, 856 impostor recognition attempts have been observed. As a 
consequence, with a confidence of 95%, the expected time needed to perform 
a successful false-accept attack is between « 4.23 sec and « 9.33 sec. 

3.3.2 Rule of Three 

Assume we observed ,3 = false accepts among N impostor recognition 
attempts. Even if a point estimation yields a false acceptance rate of 0% 
this estimation is not very confident. The rule of three enables an easy way 



to estimate a 95%-confidence interval in this case (see 41 , 42 



Theorem 1 (Rule of Three). The interval [0,3/A^] is a confidence interval 
of confidence level at least 95%. 

3.3.3 Evaluation 

Example 5. Assume an adversary has intercepted a minutiae fuzzy vault 
as in Sections with k = 12. The rule of three states that (with confidence 
95%j we can only expect the true false-acceptance rate to be FAR ~ 0.06%. 
Thus, with an impostor decoding time of IDT ~ 0.193 sec using Formula [^ 
the adversary can expect to successfully break the vault after ~ 3 min 37 sec. 
If four processors/cores are used in parallel he may be successful even after 
« 54.2 sec. 
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For the implementation in Section [2] we estimated the expected compu- 
tational time of a successful false-accept attack. The way we estimated the 
expected times is analogous to the estimations in Example [4] and Example 
[5l The results can be found in Table HI 

3.3.4 Evaluation against Alignment-Free Fuzzy Fingerprint Vault 

For the alignment-free fuzzy fingerprint vault implementation of Li et al. 
(2010) [25] where (n, t, k) = (440, 40, 13) a false-acceptance rate of 0.04% 
was reportedjj The authors estimate the false- acceptance rate as a point 
estimation by observing N = 34, 650 impostor authentication attempts 
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Therefore, we assume that s = 14 false-accepts were observed in their experi- 
ment. The 95%-Clopper-Pearson confidence interval for the false-acceptance 
rate thus is [0.0221%, 0.0678%]. Furthermore, the authors report an aver- 
age decoding time of 0.192 secFH Consequently, using Formula ([5| a false- 
accept attack may consume between 49 sec and 2.51 min of computer time 
if four processors/cores are used. In comparison to the brute-force, which 
is expected to require « 20 years (see Table [2]) , the time for a successful 
false-accept attack is negligible. Moreover, the time is far away from being 
acceptable for a secure system. 

For A; = 14 no false-accepts were observed by the authors. The rule 



of three (see Section 3.3.2) states that (with a confidence of 95%) the true 
false acceptance rate is < 0.0087%. Assuming IDT = 0.192 sec we can 
only expect the false-accept attack to require approximately 6.4 min which 
strongly contrasts an alleged security of 52 bits. 

3.3.5 Evaluation against Fuzzy Vault with Minutiae Descriptors 

If a vault was intercepted by an intruder in where the ordinate values are 



protected with minutiae descriptors (see Section 2.6) the false-accept at- 
tack can be run without modifications. For example, if A; = 12 using the 
(15, 5)-BCH code, no false accepts have been observed within 9, 900 impos- 



tor authentication attempt in 23 ^^ Thus, with the rule of three we can 



only expect the true false acceptance rate to be FAR < 0.03%. By our 
experiments (see Table [l]) we assume an average impostor decoding time of 
IDT = 0.193 sec. Consequently, we can only expect a false-accept to last 
log(0.5)/log(l — FAR) • IDT k, 7 min. If all four processors are used in 
parallel, the time furthermore reduces to ~ 2 min. 

Let us discuss another interesting point. In [23| it is reported that if the 
(511, 19)-BCH code is used to protect the ordinate values of the construction 



®We refer to Table 3 and 4 in 25 in where the sum rule is used for similarity measure- 
ment between vault features and query features. 

^^ Actually, these are not statistically independent. 

^^The decoding times were reported for genuine authentication attempts only. For 
simplicity, we assume that it agrees with impostor decoding time. 

17 



of pO] the false acceptance rate drops from 0.7% to 0.01%. At a first glance, 
this may lead to the conclusion that the security is improved by a factor 
of « 70. But this is not true: An adversary may decouple the basic vault 
construction from the protected ordinate values due to a very low sphere 
packing density. More precisely, the expected number of a protected vault 



point's ordinate value is estimated as 5 = 1 + 4.25- 10~^^ (see Section 3.2.2). 
Assuming that each vault point's correct ordinate value is contained in the 
candidate set, we set 5' = 5 — 1 as the expected number of wrong ordinate 
values. Using Markov's inequality, the probability that there is at least 
one wrong candidate is less than S' = 4.25 • 10~^^. Thus, the probability 
that decoupling the protected ordinate values to yield an instance of the 
basic vault without protected ordinate values is (1 — S")" = (1 — 5')^^^ ^ 
1 — 9.52 • 10^^^ which is overwhelming. Consequently, if the sphere packing 
density of the underlying error-correcting code is too small, protecting the 
ordinate values causes virtually no improvement against the false-accept 
attack. 

3.4 Intermediate Discussion 

Our investigations clearly show that biometric cryptosystems that are based 
on a single fingerprint cannot provide sufficient security — unless the false 
acceptance is reduced to a cryptographic negligible level: It is very easy to 
break a single fuzzy fingerprint vault using the false-accept attack. This 
highly advocates that a secure fingerprint cryptosystem must be based on 
multiple finger — or even finger in combination with other biometric modal- 
ities. 

There remain problems with the fuzzy fingerprint vault that can not be 
solved merely by switching to multiple fingers and that have to be resolved 
first. These are the problems of cross-matching and the correlation attack. 

3.5 Cross-Matching and the Correlation Attack 

One of the most serious risks the fuzzy fingerprint vault is concerned with 
is its high vulnerability to cross-matching. 

Cross-matching is always possible by, for instance, the brute-force attack: 
One of the vaults is attacked to reveal its template; this template is then 
used to open the other vault; if successful, both vaults are considered to 
match. While such an approach is always possible, there exists a more 
efficient method to separate genuine points from chaff points, if two vaults 
protecting the same finger are given: By correlating the vaults, genuine 
minutiae have a bias to be in agreement in both vaults while chaff minutiae 
are likely to be separate. An example illustrating this approach is given by 
Figure [3} 

While correlation has the inadvertent effect that vault records can be 
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(a) (b) (c) 

Figure 3: (a), (b) Two aligned vaults with chaff minutiae (gray and light- 
gray) and genuine minutiae (red and blue), (c) The genuine minutiae have 
a bias to be in agreement. 

cross-matched, it is even possible for the attacker to efficiently break two 
vault's templates and keys given the vaults protect templates from the same 
finger as it was first supposed by Scheirer and Boult in 2007 |31|. As a 
consequence, separating genuine points from chaff points via correlation has 
the potential to be much more efficient than merely attacking one of the 
vaults via brute-force. 

In 2008, Kholmatov and Yanikoglu [32] have demonstrated the effective- 
ness of the correlation attack. Against the fuzzy vault construction of Uludag 
et al. (2005) |18|, they experimentally observed 59% successful recoveries 
using the correlation attack against 200 matching vault correspondences. 
Moreover, the authors were able to perform the correlation attack within 
50 sec on average using a non-optimized Matlab implementation on a 3Ghz 
CPU. In comparison to the brute- force attack, which is expected to last 
~ 80 hours on a single core of a 3.2Ghz desktop computer (see Table pi), 
an intruder who has intercepted two matching vault records from different 
applications may quickly recover the corresponding templates and keys — 
even if he has no large database to perform a false-accept attack. 

Cross-matching might already be enabled just by matching alignment 



helper data (see [19 , 20 , 34| ) even though this alone does not imply that 
multiple records of the same template can be broken efficiently. While the 
possibility of cross-matching using alignment data alone is already an se- 
curity issue, it is especially an issue in combination with the correlation 
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attack: An adversary may filter out genuine vault correspondences from dif- 
ferent application's databases with the help of the public alignment data; 
afterwards, he can perform the correlation attack even faster because he can 
quickly align the vaults using the alignment data. Moreover, merely using 
alignment-free features as proposed by Li et al. (2010) |25| will not resolve 
the risk of cross-matching or attacks via record multiplicity. 

Nandakumar, Nagar, and Jain (2008) [21] proposed to incorporate an 
additional user password into the vault. Furthermore, the additional security 
provided by the user passwords may prevent the vaults from being cross- 
matched and from being vulnerable to the correlation attack. However, 
using a user password causes inconveniences that were actually meant to be 
resolved by biometric based authentication schemes (e.g., weak or forgotten 
passwords). 

In the next section we show that it is possible to implement a usable 
fingerprint fuzzy vault that is resistant against the correlation attack and 
that gets along without an additional user password. 

4 Implementation of a Cross-Matching Resistant 
Minutiae Fuzzy Vault 

We have shown that a single finger is not sufficient to provide a secure 
biometric cryptosystem due to a cryptographically non-negligible false ac- 
ceptance rate. Rather biometric cryptosystems that are based on multiple 
finger/modalities should be developed and analyzed more extensively. First 
steps have already been made (e.g., see (29l[30] ). However, it is obvious that 
merely fusing multiple finger to be protected by the fuzzy vault scheme will 
not resolve the problem of cross-matching or the correlation attack. 

In this section, we propose an implementation of a minutiae fuzzy vault 
that is inherently resistant against cross-matching and that gets along with- 
out an additional password (see |21j). Roughly speaking, we achieve cross- 
matching resistance using the simple idea of rounding minutiae to a rigid 
hexagonal grid; the minutiae angles are quantized as well. Each element of 
the rigid system to where a minutia is quantized encodes a genuine vault 
point while the remaining elements encode chaff points. As a consequence 
the feature set between different vault records are equal which makes cross- 
matching via correlation useless to attack the vaults. 

4.1 Vault Construction 

Minutia Quantization 

Given a minutiae template of a fingerprint, each of its minutia is quantized 
first. Let m = (a, b, 9) be a minutia at pixel (a, b) and of angle 6 £ [0, 360). 
Let Ri be the point of a (hexagonal) grid {Rq, . . . , Rr-i} laying within the 
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(a) 



(b) 



(c) 



Figure 4: The minutiae (a) positions are rounded to the location of the 
points of a hexagonal grid (b). Each other point of the grid (c) is used to 
encode a chaff point. 



fingerprint image's region that best approximates (a, 6). Furthermore, let 
j = [0/360 • s\ where s denotes the parameter controlling the number of 
values into where angles are quantized. Now, the integer i + r ■ j encodes 
the quantization of m. Let Xij G F denote the finite field element encoding 
i+r-j by some (but fixed) convention. Then the quantization of the minutia 
m is given by the map quant (m) i— )■ Xij. 

Note, that the feature set in where minutiae quantizations can occur is 



E = { X. 



«j 



0,...,r-l, j = 0, 



!}• 



Enrollment 

Let tmax be a bound on the genuine point's size and T be an input minutiae 
template that we want to protect. Write T = {mi,m2,...} and assume 
that if iTii is of better quality than xrij this implies i < j. The feature set 
A is defined to contain at most tmax quantizations of the first best-quality 
minutiae. Note, that A can contain fewer elements than T 



12 



Let t 



The next step is to bind the template quantized as A to a secret poly- 
nomial / G F[X] of degree < k. This is done as usual by letting the genuine 
set G = { (x, f{x)) \ X e A}. 



\T\. 



^If there are minutiae in T that have equal quantization then it is possible that | A| < 
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As in the usual vault, the genuine set is hidden among a large set of chaff 
points. But now, every element in E that is not contained in A corresponds 
to a chaff point. More precisely, C = { {x,y) \ xGE\A} where the ys are 
chosen uniformly at random from F such that y 7^ f{x). 

The vault consists of the union of genuine and chaff points. Furthermore, 
a cryptographic hash value of the secret polynomial is stored along with the 
vault. Thus the public vault is the tuple (V, h{f)) where V = G U C. 

Vault Authentication 

On authentication, a query minutiae template is given for which we assume 
that it is already aligned to the vault. Then the corresponding feature set 
B is extracted from the query template in the same way as A was extracted 
from the enrollment template. Using B the unlocking set is built out of those 
points from V that have abscissa value in B, i.e. U = { (x, y) G V | x G B }. 
Let CO = |A n B|. Then U contains exactly co genuine points. Thus, if 
u >k the secret polynomial / can be obtained from U in the same way as 
described in Section 12.21 



4.2 Training 

Our construction is controlled by the following parameters: 

• The minimal distance of the hexagonal grid points A which (together 
with the fingerprint image's dimension) controls the number of hexag- 
onal grid points r; 

• the number of values s into where the minutia's angle are quantized; 

• the bound tmax on the number of genuine vault points; 

• the size k of the secret polynomial. 

We performed systematical tests to determine a good configuration of the 
above parameters. Therefore we determined the GARs and the FARs on 
the FVC 2002 DB2-B (which is intended for training purposes; see [35]) for 
each configuration of 

A = 8,...,32; s = l,...,8; 

(6) 

'-max — -LU, . . . , DU, ft — i, . . . , tmax- 

For the GARs, each finger's zth impression was used to extract the feature 
set A; each jth (where j > i) impression of the finger aligned to the ith 
was used to extract its features B; if |A n B| > k this was accounted for 
as a genuine accept; otherwise it was accounted for as a false reject. For 
the FAR, each Jth finger's first impression was used to extract the feature 
set A; each Jth finger's first impression (where J > I) was used to extract 
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B; again, if | A n B| > k this was counted as a false accept; otherwise as a 
reject. 



The best configuratior ^^ was obtained as 



A = 29, s = 6, tmax = 44, and A; = 7 (7) 

with a GAR = 100% and FAR = 0%. The number of hexagonal grid points 
of minimal distance A = 29 that fit in an image of dimension 296 x 560 
is r = 242. For the angles are quantized into 5 = 6 possible values, the 
size of the vault is n = r • s = 1452. Thus, the brute-force security is 
bf (1452, 44, 7) ~ 2^^. If a higher security is sought, we may choose a higher 
k. 

4.3 Randomized Decoder 

The potential recognition performance of our construction looks promis- 
ing. However, there remains a problem concerning the decoding work. If a 
brute- force security at least 2'^^ is sought we may choose A: = 8. On an au- 
thentication attempt, an unlocking set of size up to tmax = 44 is built. If we 
would attempt to decode by iterating through all candidate polynomials of 
degree < k that interpolate k unlocking points, ( g ) ~ 2^^ iterations have to 
be performed in the worst case before the user is possibly accepted/rejected. 
This is too expensive for a usable system. 

As a countermeasure, we propose to randomize the decoding procedure 



of Section 2.2 Instead of iterating through all polynomials of degree < k 
that interpolate k unlocking points, we only iterate through at most T> 
polynomials each interpolating k randomly selected unlocking points. 

On authentication, if the unlocking set U contains uo >k genuine points 
the randomized decoder will successfully output the correct polynomial with 
probability at least 1 — (1 — bf(iinax,'^5 ^)~^)'^ which approaches 100% as 
P — 7- oo. Moreover, if the unlocking set U contains uj < k genuine points 
the randomized decoder will not succeed in decoding. Consequently, both 
GAR and FAR for a fixed k drop if the randomized decoder is used. 

Furthermore, the use of the randomized decoder only affects authentica- 
tion and not the vault construction. Thus, for a fixed k, the overall security 
does not suffer if the randomized decoder is used. 

4.4 Performance Evaluation 

For the configuration determined during the training and for different k, 
we performed performance evaluations of our implementation following the 



description of Section 2.4 We have chosen 2? = 2 " iterations for the ran 



domized decoder which corresponds to a reasonable amount of iterations 



^^The best configuration was defined as to yield the highest GAR at the lowest FAR; 
among these configurations, the one with maximal fc/tmax has been selected. 
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Table 5: Result of the Performance 


Evaluation 
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^ 91.96% (= 97%) 


^ 0.46% 
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^ 0.28 sec 
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= 8 


^ 86.82% (= 95%) 
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^ 0.06 sec 


^ 0.35 sec 
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^ 0.1 sec 


^ 0.41 sec 
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= 10 
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« 0.17 sec 


^0.51 sec 


Ri 2^^ 


= 11 


^ 63.11% (= 86%) 


= 0% 


^ 0.26 sec 


^ 0.60 sec 


^2" 


= 12 


^ 53.57% (= 80%) 


= 0% 


^ 0.39 sec 


^ 0.73 sec 


Ri 2®^ 



that is feasible on current hardware. In addition to genuine acceptance 
rates and false acceptance rates, the average genuine decoding times as well 
as the average impostor decoding times were determined. The results can 
be found in Table [H 

In order to compare our results with other fuzzy vault implementations, 
we also kept track of the genuine acceptance rate in which only the first two 
impressions are taken into account (the first impression is used for enroll- 
ment and the second as the query). The corresponding rates are denoted 
as sub-GAR in Table [U We reached sub-GAR = 91% in the case no false 
accepts have been observed. In comparison, on the same dataset Nagar et 

(2010) 23 achieve sub-GAR = 93% at zero false accepts while Li et 
achieve sub-GAR = 92%. Even though our results are only 



al. 

al. (2010) 

valid under a well-solved alignment framework our implementation provides 

resistance against the correlation attack — even without a user password 

(see [21]). 



4.5 Alternative Fuzzy Extractor Construction 

Another advantage of our implementation is that it can be easily modified 
to meet the requirements for the modified fuzzy vault construction proposed 
by Dodis et al. (2008) il4j. This construction avoids the generation of chaff 
points and significantly reduces the amount of memory that is required for 
storage. The changes that have to be made would not affect the construc- 
tion's performance or security against the brute-force or false-accept attack. 
For details of the construction we refer to [14] . 

However, without preventions, multiple records of the fuzzy extractor 
construction may become vulnerable to cross-matching, especially, if the 
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protected templates are equal. The way of cross-matching is similar to the 
decodability attack as it has been investigated by Kelkboom et al. (2011) [43| . 
Fortunately, applying a random bit-permutation process secures the fuzzy 
extractor construction from cross-matching based on the decodability attack. 
For details we refer to |43|. 



4.6 Security Analysis 

Our implementation provides good security against the brute-force attack. 
For example, if A: = 10 at a 52-bit brute-force security level we have em- 
pirically determined that an adversary can test 128, 205 polynomials per 
second on a single core of a 3.2Ghz desktop computer with four processor 
cores. Thus, if all four cores are used in parallel, he can expect to break an 
instance of our implementation after approximately 192 years. 

Our implementation obviously is resistant against the correlation attack 
and cross-matching via correlation. But the implementation's vulnerability 
against the false-accept attack remains to be evaluated. 



It is possible to analyze the false-accept attack analogous to Section |3.3 
using confidence intervals. But there is a more elegant way to estimate the 
false-acceptance rate. 

Assume that within an impostor authentication attempt an unlocking 
set of size t is built containing oj genuine vault points. Using D decoding 
iterations the vault can be unlocked with probability 

[0, if a; < A;. 

Thus, if in a test with A^ impostor authentication attempt the ith unlocking 
set is of size ti containing coi genuine vault points then we may estimate the 
false acceptance rate as FAR ^ -^^i=iP{ti,ijJi^V). Note, that the effort 
in authenticating increases linearly with the number of decoding iterations 
v. Therefore, we estimate the cost for a successful false-accept attack as 
log(0.5)/log(l-FAR) -v. 

As the attacker is free in choosing whichever decoder he prefers, he may 
choose the number of decoding iterations that minimizes the cost. 

Lemma 1. The cost for a successful false-accept attack is minimized for 
V = l. 

Proof. Let e{x) be the false- acceptance rate as a function in the number 
of decoding iterations x. Then g{x) = log(0.5)/log(l — e(x)) • x is the 
cost function of a successful false-accept attack. Note that we can write 
1 — e(x) = ]v X^af where < ctj < 1. Using Jensen's inequality we can 
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bound 1 — e(x) > [j^Yl '^i) • Thus, 
|log(0.5)| 



^^""^ |l0g(l-6(x))| 

|log(0.5)| 
which proves the lemma. 



X > 



log(0.5)| 



|iog((^E«01 

|log(0-5)| 



5(1) 



D 



The lemma enables us to estimate a lower bound for the cost of the 
false-accept attack against our implementation assuming the adversary also 
utilizes the randomized decoder. However, the attacker may prefer to use 
more than only one decoding iteration, e.g., if he uses a fingerprint database 
for the attack of medium size. Furthermore, the time needed to build the 
unlocking sets was not taken into account, but it increases the cost for a 
false-accept attack in practice. But for a security analysis, it is safer to rely 
on a lower bound. 

Hence, in a test of N impostor authentication attempts in where the 
ith unlocking set was of size ti containing uji genuine points, the cost for 
a successful false-accept attack can be estimated as log(0.5)/log(l — FAR) 
where FAR = -^ '^p{ti,uji) with 



p{ti,U}i) =p{ti,U}i,l) 



h{{ti,uji,k) ^ if LOi > k 
if cj,- < k. 



Table 6: Performance of the false-accept attack on a four-core desktop com- 
puter with 3.2Ghz. 



polynomial degree 


false acceptance rate 


expected time for a 


<k 


FAR 


false-accept attack 


= 7 


Ri 8.31-10-^ 


~ 36 sec 


= 8 


« 8.87- 10^9 


« 2 min 


= 9 


w 8.53-10-10 


« 21 min 


= 10 


« 6.95 -10-11 


~ 5 hours 


= 11 


Rs 4.40 -10-12 


~ 4 days 


= 12 


ss 1.86-10-13 


Ri 120 days 



To estimate the false acceptance rate of our implementation for different 
k, we simulated impostor authentication attempts on the FVC 2002 DB2-A 
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database following the FVC protocol which yielded A^ = 4, 950 impostor 
authentication attempts. For the simulations, we used the same configura- 
tions as in the performance evaluation. For the ith impostor authentication 
attempt, we quantized the first finger as the set A and the second as B. 
Then we let tj = |B| and counted Ui = |AnB|. Using p(tj,a;j) we estimated 
the false acceptance rate FAR for a single decoding iteration and the corre- 
sponding cost for the false-accept attack. Consulting the impostor decoding 
times determined during the evaluation we know how much 2^^ iterations 
of the false-accept attack cost. We used this information to determine the 
time for a successful false-accept attack on a 3.2Ghz desktop computer. The 
results can be found in Table [H 

Example 6. For example, if k = 9 the false acceptance rate was found to 
be FAR Ki 8.53-10"^'^ for a single decoding iteration. Thus, the attacker can 
expect to use approximately log(0.5)/log(l — 8.53 • 10"^'^) « 8.13 • 10® fin- 
ger as queries to successfully break the vault. As the time for 2^^ iterations 
was found to be IDT ^ 0.41 sec the time for a successful false-accept attack 
can be estimated as 8.13 • 10^/2^^ • 0.41 sec « 1-2 hours. If all four proces- 
sor cores were used in parallel, the time furthermore reduces to ^ 21 min 
which is much more efficient than the brute-force attack requiring 192 years. 
Please note, like other implementations our construction is also vulnerable 
to intensive false-accept attacks. 

5 Discussion and Outlook 

We investigated the security of current implementations of the fuzzy fin- 
gerprint vault. We found that, even if the brute-force attack is impractical 
against some implementations, this does not hold for the false-accept at- 
tack. This attack is feasible for every authentication scheme in which the 
false acceptance rate is non-negligible and thus it is for current implemen- 
tations of biometric cryptosystem protecting a single fingerprint's template. 
Even worse, according to our observations, the false-accept attack can be 
performed much more efficiently than the brute-force attack. One may ar- 
gue, that it is infeasible for an adversary to establish databases which are 
of sufficient size to perform intensive false-accept attacks off-line. First, in 
our view, this can not be prevented having in mind that there exist large 
databases containing real fingers. Second, the performances of false-accept 
attacks are hints for the existence of similar efficient statistical attacks. Such 
attacks may be prevented using multiple fingers or even multiple biometric 
modalities. Therefore, multi-finger fuzzy vaults should be investigated as a 
potential method wherever high security is important. And yet a significant 
risk remains: The correlation attack cannot be prevented merely by using 
multiple fingers. 

Therefore we endeavored to solve the problem of the correlation attack. 
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In this paper we have demonstrated that it is possible to implement a minu- 
tiae fuzzy vault that is resistant against the correlation attack without loss 
of authentication performance. Our implementation primarily relies on the 
simple innovation of rounding minutiae to a rigid grid while using the en- 
tire grid as vault features, thereby preventing attackers from distinguishing 
genuine from chaff features via correlation. Furthermore, to make vault 
authentication practical, we proposed to use a randomized decoder rather 
than systematically iterating through all candidate polynomials. Since the 
randomized decoder only affects vault authentication and not vault construc- 
tion, the randomized decoder does not adversely affect vault security. Well 
conceived, the randomized decoder may be incorporated into a wide variety 
of fuzzy vault implementations, not only fuzzy vaults with the express pur- 
pose of protecting minutiae templates of a single finger. Furthermore, our 
single-finger fuzzy vault construction that is resistant against the correlation 
attack may be generalized to a construction that protects multiple fingers. 
All experiments described in this paper can fully be reproduced using 
software available for download 
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We did not propose a mechanism for dealing with alignment for our 
vault construction. Although it would have been possible to adopt the ideas 
available in the literature that propose to store additional alignment-helper 



data publicly with the vault 17,19,20,33,34 it is not yet clear how this 



would affect vault security. Moreover, some of the proposals find accurate 
alignment via multiple candidate alignments: During authentication, for 
each candidate alignment an authorization attempt is performed until the 
correct secret is seen. Translating this method to multiple fingers is prob- 
lematic because the number of candidate alignments grows exponentially 
with the number of fingers. Consequently, fingerprint alignment techniques 
for multi-finger fuzzy vaults should be reconsidered. 

Ideally, fingerprints could be pre-aligned. This would make iterations 
through several candidate alignments obsolete. Moreover, fuzzy vaults pro- 
tecting accurately pre-aligned fingers do not need to store additional alignment- 
helper data which can cause unwanted information leakage regarding the 
corresponding finger. Prealignment of fingerprints is strongly related to 



the concept of intrinsic coordinate systems 44 , 45 . Unfortunately, current 
methods that extract intrinsic coordinate systems are not robust enough to 
produce fingerprint pre-alignment of sufficient accuracy. Although challeng- 
ing, it may be worthwhile to seek more robust methods to extract intrinsic 



^''This comprises performance analyses of the brute-force attack, performance evalua- 
tions of the minutiae fuzzy vault implementation as in Section |2J the training for deter- 
mining a good configuration of our cross-matching resistant minutiae fuzzy vault imple- 
mentation, its performance evaluations, and a program to analyze our implementation's 
resistance against the false-accept attack; these are sample programs for a C-|— f software 
library that we call thimble; visit http: //www. stochastik.math.uni-goettingeii.de/| 



biometrics for downloading its source code. 
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coordinate systems. 
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